Examples of org.springframework.security.core.Authentication

• org.springframework.security.core.Authentication
  Represents the token for an authentication request or for an authenticated principal once the request has been processed by the {@link AuthenticationManager#authenticate(Authentication)} method.

  Once the request has been authenticated, the Authentication will usually be stored in a thread-local SecurityContext managed by the {@link SecurityContextHolder} by the authentication mechanism which isbeing used. An explicit authentication can be achieved, without using one of Spring Security's authentication mechanisms, by creating an Authentication instance and using the code:

   SecurityContextHolder.getContext().setAuthentication(anAuthentication); 

  Note that unless the Authentication has the authenticated property set to true, it will still be authenticated by any security interceptor (for method or web invocations) which encounters it.

  In most cases, the framework transparently takes care of managing the security context and authentication objects for you. @author Ben Alex

     */
    public void testAuthenticateError() {
        OpenIDAuthenticationProvider provider = new OpenIDAuthenticationProvider();
        provider.setUserDetailsService(new MockUserDetailsService());

        Authentication preAuth = new OpenIDAuthenticationToken(OpenIDAuthenticationStatus.ERROR, USERNAME, "", null);

        assertFalse(preAuth.isAuthenticated());

        try {
            provider.authenticate(preAuth);
            fail("Should throw an AuthenticationException");
        } catch (AuthenticationServiceException expected) {

     */
    public void testAuthenticateFailure() {
        OpenIDAuthenticationProvider provider = new OpenIDAuthenticationProvider();
        provider.setAuthenticationUserDetailsService(new UserDetailsByNameServiceWrapper<OpenIDAuthenticationToken>(new MockUserDetailsService()));

        Authentication preAuth = new OpenIDAuthenticationToken(OpenIDAuthenticationStatus.FAILURE, USERNAME, "", null);

        assertFalse(preAuth.isAuthenticated());

        try {
            provider.authenticate(preAuth);
            fail("Should throw an AuthenticationException");
        } catch (BadCredentialsException expected) {

     */
    public void testAuthenticateSetupNeeded() {
        OpenIDAuthenticationProvider provider = new OpenIDAuthenticationProvider();
        provider.setUserDetailsService(new MockUserDetailsService());

        Authentication preAuth = new OpenIDAuthenticationToken(OpenIDAuthenticationStatus.SETUP_NEEDED, USERNAME, "", null);

        assertFalse(preAuth.isAuthenticated());

        try {
            provider.authenticate(preAuth);
            fail("Should throw an AuthenticationException");
        } catch (AuthenticationServiceException expected) {

     */
    public void testAuthenticateSuccess() {
        OpenIDAuthenticationProvider provider = new OpenIDAuthenticationProvider();
        provider.setUserDetailsService(new MockUserDetailsService());

        Authentication preAuth = new OpenIDAuthenticationToken(OpenIDAuthenticationStatus.SUCCESS, USERNAME, "", null);

        assertFalse(preAuth.isAuthenticated());

        Authentication postAuth = provider.authenticate(preAuth);

        assertNotNull(postAuth);
        assertTrue(postAuth instanceof OpenIDAuthenticationToken);
        assertTrue(postAuth.isAuthenticated());
        assertNotNull(postAuth.getPrincipal());
        assertTrue(postAuth.getPrincipal() instanceof UserDetails);
        assertNotNull(postAuth.getAuthorities());
        assertTrue(postAuth.getAuthorities().size() > 0);
        assertTrue(((OpenIDAuthenticationToken) postAuth).getStatus() == OpenIDAuthenticationStatus.SUCCESS);
        assertTrue(((OpenIDAuthenticationToken) postAuth).getMessage() == null);
    }

        if (SecurityContextHolder.getContext().getAuthentication() == null) {
            credentialsNotFound(messages.getMessage("AbstractSecurityInterceptor.authenticationNotFound",
                    "An Authentication object was not found in the SecurityContext"), object, attributes);
        }

        Authentication authenticated = authenticateIfRequired();

        // Attempt authorization
        try {
            this.accessDecisionManager.decide(authenticated, object, attributes);
        }
        catch (AccessDeniedException accessDeniedException) {
            publishEvent(new AuthorizationFailureEvent(object, attributes, authenticated, accessDeniedException));

            throw accessDeniedException;
        }

        if (debug) {
            logger.debug("Authorization successful");
        }

        if (publishAuthorizationSuccess) {
            publishEvent(new AuthorizedEvent(object, attributes, authenticated));
        }

        // Attempt to run as a different user
        Authentication runAs = this.runAsManager.buildRunAs(authenticated, object, attributes);

        if (runAs == null) {
            if (debug) {
                logger.debug("RunAsManager did not change Authentication object");
            }

     * <tt>alwaysReauthenticate</tt> has been set to true.
     *
     * @return an authenticated <tt>Authentication</tt> object.
     */
    private Authentication authenticateIfRequired() {
        Authentication authentication = SecurityContextHolder.getContext().getAuthentication();

        if (authentication.isAuthenticated() && !alwaysReauthenticate) {
            if (logger.isDebugEnabled()) {
                logger.debug("Previously Authenticated: " + authentication);
            }

            return authentication;

     * abstract parent enforces that logic, which is extensively tested separately.
     */
    @Test
    public void testSuccessfulInvocation() throws Throwable {
        // Setup a Context
        Authentication token = new TestingAuthenticationToken("Test", "Password", "NOT_USED");
        SecurityContextHolder.getContext().setAuthentication(token);

        FilterInvocation fi = createinvocation();

        when(ods.getAttributes(fi)).thenReturn(SecurityConfig.createList("MOCK_OK"));

        verify(publisher, never()).publishEvent(any(AuthorizedEvent.class));
    }

    @Test
    public void afterInvocationIsNotInvokedIfExceptionThrown() throws Exception {
        Authentication token = new TestingAuthenticationToken("Test", "Password", "NOT_USED");
        SecurityContextHolder.getContext().setAuthentication(token);

        FilterInvocation fi = createinvocation();
        FilterChain chain = fi.getChain();

    // SEC-1967
    @Test
    @SuppressWarnings("unchecked")
    public void finallyInvocationIsInvokedIfExceptionThrown() throws Exception {
        SecurityContext ctx = SecurityContextHolder.getContext();
        Authentication token = new TestingAuthenticationToken("Test", "Password", "NOT_USED");
        token.setAuthenticated(true);
        ctx.setAuthentication(token);

        RunAsManager runAsManager = mock(RunAsManager.class);
        when(runAsManager.buildRunAs(eq(token), any(), anyCollection())).thenReturn(new RunAsUserToken("key", "someone", "creds", token.getAuthorities(), token.getClass()));
        interceptor.setRunAsManager(runAsManager);

        FilterInvocation fi = createinvocation();
        FilterChain chain = fi.getChain();

    protected String determineExpiredUrl(HttpServletRequest request, SessionInformation info) {
        return expiredUrl;
    }

    private void doLogout(HttpServletRequest request, HttpServletResponse response) {
        Authentication auth = SecurityContextHolder.getContext().getAuthentication();

        for (LogoutHandler handler : handlers) {
            handler.logout(request, response, auth);
        }
    }